Rule 31106


rob

Mar 19, 2010, 5:37:29 AM3/19/10
to ossec-list
Hi Guys

I need more info around the rule 31106 and what it does. There is
nothing on the wiki on ossec.net. I receive the following alert:

Rule: 31106 fired (level 12) -> "A web attack returned code 200
(success)."
Portion of the log(s):

18/Mar/2010:12:39:43 +0200] "GET /URL?mu=74bffe75-
b11b-4f6a-9bf4-4434d906b98a&mp=&token=3150ce37-
a8bb-4c31-8ada-8b313a7ec055&mn=TEXT&ttuText=Hi+there%0D%0A%0D%0AIs+it
+possible+to+text+%22text%22+text%27text.+text%3F%0D%0A%0D%0AThanks%0D
%0 HTTP/1.0" 200 18 "-" "-"

The alert has been modified a bit but the message is still the same.
Why did it get set off?
Was it the %22text%22 section of the message?

Thanks Robert

Nerijus Krukauskas

Mar 19, 2010, 10:39:57 AM3/19/10
to ossec...@googlegroups.com
Hi,

OSSEC is open source. It should be fairly easy to take a look at what
the rule 31106 is about. :)

It references rule 31103, which looks for things like:
<url>='|select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
<url>union+|where+|null,null|xp_cmdshell</url>
And it references rule 31104, which looks for:
<url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..</url>
<url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url>
<url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%|</url>
<url>cat%|exec%|rm%20</url>
And it references rule 31105, which looks for:
<url>%3Cscript|%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url>
<url>%20ONLOAD=|INPUT%20|iframe%20</url>

Now it is an exercise for you. :) Find if any of those match your log.
If yes, then you're under attack. If no, it might be a false positive.
And I might have overlooked some more references to other rules...

--
http://nk99.org/

oscar schneider

Mar 19, 2010, 10:30:18 AM3/19/10
to ossec...@googlegroups.com
Cf. the files in {$OSSECDIR}/rules/

There you will find an xml file called web_rules.xml
Within that file you will find rule 31106:

  <rule id="31106" level="12">
    <if_sid>31103, 31104, 31105</if_sid>
    <id>^200</id>
    <description>A web attack returned code 200 (success).</description>
    <group>attack,</group>
  </rule>

It states that if an event matches rule 31103-31105 (located in the same file, they are scanning for url patterns that might resemble a web attack) and the decoder extracted an ID starting with the string "200", a web attack probably was successful.

The message that matched the rule includes that an HTTP GET request for that long URL happened.
%22text%22 is a part of that URL.
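As an added example (not code from the thread and not OSSEC's own matcher), this walks through the exercise Nerijus proposed using the rule definition Oscar quoted: it replays the 31103-31105 URL patterns against the URL in Rob's log line and then applies the `<id>^200</id>` condition of 31106. It assumes a simplified matcher in which `|` separates literal, case-sensitive alternatives; that is enough for these patterns but is not OSSEC's real regex engine, and the trailing `..` on the 31104 fragment is treated as the poster's line-wrap ellipsis.

```python
import re

# Patterns quoted in the thread for OSSEC rules 31103-31105 (web_rules.xml), with the
# poster's wrapped <url> fragments joined back together; the trailing ".." on the
# 31104 fragment is assumed to be a line-wrap ellipsis, not a pattern, and is dropped.
CHILD_RULES = {
    31103: "select%20|select+|insert%20|%20from%20|%20where%20|union%20|"
           "union+|where+|null,null|xp_cmdshell",
    31104: "%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\\..|echo;|"
           "cmd.exe|root.exe|_mem_bin|msadc|/winnt/|"
           "/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%|"
           "cat%|exec%|rm%20",
    31105: "%3Cscript|%2Fscript|script>|script%3E|SRC=javascript|IMG%20|"
           "%20ONLOAD=|INPUT%20|iframe%20",
}

# The log line from the original post, with its mail-client line wraps removed.
LOG_LINE = (
    '18/Mar/2010:12:39:43 +0200] "GET /URL?mu=74bffe75-'
    'b11b-4f6a-9bf4-4434d906b98a&mp=&token=3150ce37-'
    'a8bb-4c31-8ada-8b313a7ec055&mn=TEXT&ttuText=Hi+there%0D%0A%0D%0AIs+it'
    '+possible+to+text+%22text%22+text%27text.+text%3F%0D%0A%0D%0AThanks%0D'
    '%0 HTTP/1.0" 200 18 "-" "-"'
)

# Apache-style request line and status code fields.
REQUEST_RE = re.compile(r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" (?P<status>\d{3})')

def matching_alternatives(pattern, text):
    """Simplified stand-in for OSSEC's matcher (assumption): '|' separates
    alternatives and every alternative is a literal, case-sensitive substring."""
    return [alt for alt in pattern.split("|") if alt and alt in text]

def evaluate_31106(log_line):
    """Replay the 31103-31105 -> 31106 chain: which child rules hit the URL,
    on which substrings, and whether the decoded id starts with 200."""
    m = REQUEST_RE.search(log_line)
    if m is None:
        return {"status": None, "hits": {}, "fires_31106": False}
    url, status = m.group("url"), m.group("status")
    hits = {sid: alts for sid, pat in CHILD_RULES.items()
            if (alts := matching_alternatives(pat, url))}
    # <if_sid>31103, 31104, 31105</if_sid> combined with <id>^200</id>
    return {"status": status, "hits": hits,
            "fires_31106": bool(hits) and status.startswith("200")}

if __name__ == "__main__":
    print(evaluate_31106(LOG_LINE))
```

On the thread's log line only 31104 hits, on the URL-encoded line breaks (%0D, %0A) inside the ttuText parameter rather than on the %22text%22 section; with the same URL and a non-200 status the chain stops before 31106.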


Michael Starks

Mar 20, 2010, 12:19:28 PM3/20/10
to ossec...@googlegroups.com
rob wrote:

> Rule: 31106 fired (level 12) -> "A web attack returned code 200
> (success)."
> Portion of the log(s):
>
> 18/Mar/2010:12:39:43 +0200] "GET /URL?mu=74bffe75-
> b11b-4f6a-9bf4-4434d906b98a&mp=&token=3150ce37-
> a8bb-4c31-8ada-8b313a7ec055&mn=TEXT&ttuText=Hi+there%0D%0A%0D%0AIs+it
> +possible+to+text+%22text%22+text%27text.+text%3F%0D%0A%0D%0AThanks%0D
> %0 HTTP/1.0" 200 18 "-" "-"

As others have noted, this is basically an indication that there was an
attack pattern triggered, followed by a 200 (success). I have found this
rule to be somewhat unreliable since HTTP is stateless and the original
rule that was triggered could be a false positive. Bottom line: tuning
is required.
--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
